Security Fundamentals
Predict – Preempt – Protect
Karthikeyan Dhayalan
CIA Triad
Confidentiality
- Anything that needs to be protected
- Safeguard against unauthorized access, notice, or use
- Protecting data at each stage (storage, processing, transit)
Threats
• Capturing network traffic
• Unauthorized access to network
• Password dump stealing
• Dumpster diving
• Social engineering
• Port scanning
• Eavesdropping
Countermeasures
• Encryption
• Authentication to systems
• Access control
• Network traffic padding
• Data classification
• End-user training
Confidentiality Concepts
• Sensitivity
  • Quality of information that could cause harm or damage if released
  • E.g., a nuclear facility
• Discretion
  • Showing prudence or self-restraint when dealing with data of interest
  • E.g., public release of military operations
• Criticality
  • The level to which the information is critical
  • E.g., HIGH critical
• Concealment
  • Act of hiding or preventing disclosure
  • E.g., steganography
• Secrecy
  • Act of keeping information confidential
  • E.g., the Coke formula
• Privacy
  • Keeping information about a person under safe custody
  • E.g., PII/PHI
• Seclusion
  • Storing something in an out-of-the-way location
  • E.g., a storage vault
• Isolation
  • Act of keeping something separated from the rest
  • E.g., DMZ, ODC
Integrity
• The capability to maintain veracity and to be intentionally modified only by authorized individuals
• Enforces accuracy
• Provides assurance
• Prevents modifications by unauthorized subjects
• Prevents unauthorized modifications by authorized subjects
• Maintains internal and external consistency of objects
Threats
• Virus
• Logic bombs
• Errors
• Malicious modifications
• Intentional replacement
• System back door
Countermeasures
• Activity logging
• Access control
• Authentication
• Hashing
• Encryption
• Intrusion detection systems
Integrity is dependent on Confidentiality
Availability
• Provisioning uninterrupted and timely access to authorized subjects
• Offers a high level of assurance that data shall be available to authorized subjects
• It includes
  • Usability
  • Accessibility
  • Timeliness
Threats
• Device failure
• Software error
• Natural calamity
• Power
• Human error
• Oversight
Countermeasures
• RAID
• Redundant systems
• Clustering
• Access control
• BCP/DR
• Fault tolerance
Availability is dependent on both Integrity and Confidentiality
Security Concepts
Identification
 Subject professes an identity
 First step in the AAA process
 Username, smart card, speaking a phrase, biometric, user ID
 Without identity there can be no authentication
Authentication
 Verification of the claimed identity
 Verifies identity by comparing against one or more factors stored in the database
 Identification and authentication are always performed together
Authorization
 Comparing the subject, object and the intended activity to authorize actions
 Identification/Authentication is an all-or-nothing model, while Authorization can have a wide range of options
Auditing
 Means by which subjects' actions as well as system operations are logged and monitored
 Helps detect unauthorized or abnormal activities
Accountability
 Capability to prove a subject's identity and track their activities
 Established by linking a human to the activities of an online identity
 Ultimately dependent on the strength of the authentication factor
Nonrepudiation
 Ensures the subject of an activity cannot deny the action
 Can be established via digital certs, session identifiers, transaction logs
Security Control Concepts
Layering
 Also known as defense in depth
 Multiple controls are applied in series
 Layering should be applied in series and not in parallel
Abstraction
 Putting similar elements in groups, classes or roles that are assigned security controls
 Used for efficiency
 Includes definition of object and subject
Data Hiding
 Preventing data from being discovered
 Some forms include restricting visibility of a high-criticality application from low-level subjects
Encryption
 Hiding the meaning or intent of a communication
 It is an important element in security controls
Security Management Plan
• The SMP should use a top-down approach:
  • Senior management is responsible for initiating and defining policies
  • Middle management is responsible for releasing standards, baselines and guidelines in relation to the policy
  • Operations management/IT teams implement the controls defined above
  • End users must comply with all the functions of the organization
• The SMP should have approval from senior management before work begins.
Security Management Plan Types
Strategic Plan
- Long-term plan
- Defines the organization's security posture
- Useful for at least 5 years; reviewed annually
- Helps understand the security function and align it with the business
- Should include a risk assessment
Tactical Plan
- Mid-term plan developed to provide more detailed goals
- Usually for a year or two
- More technology oriented
- E.g., project plans, acquisition plans, budget plans, hiring plans
Operational Plan
- Short-term plan
- Highly detailed plan
- Must be updated often (monthly, quarterly)
- Spells out how to accomplish various goals
- E.g., resource allotment, budgetary allocation, training plans
Change Management
• Goal: ensure that no change leads to compromised or reduced security
• Purpose: make all changes subject to detailed documentation, auditing, review and scrutiny by management
• Helps
  • Implement changes in a controlled and orderly manner
  • Formalized testing process
  • Back-out or roll-back procedures
  • Users are informed before the change
  • Effects of change are systematically analysed
  • Negative impact is minimized
  • Changes are reviewed and approved by the CAB (Change Advisory Board)
Data Classification
- The process of organizing items, objects and subjects into groups, categories or collections with similarities
- Primary means for data protection
- Used to determine how much effort, money and resources are allocated to protect the data and control access to it
Benefits
• Demonstrates the organization's commitment to protecting assets
• Assists in identifying assets that are critical for the organization
• Lends credence to the selection of protection mechanisms
• Required for regulatory compliance
• Helps define access levels
• Helps with data life-cycle management
Criteria
• Usefulness
• Timeliness
• Value
• Maturity or age of data
• Lifetime of the data
• Association with personnel
• Disclosure damage assessment
• Modification damage assessment
• National security
• Authorized access to data
• Restriction from the data
• Maintenance and monitoring
• Storage
7-Step Classification Scheme
1. Identify the owner and define responsibility
2. Specify evaluation criteria
3. Classify and label each resource
4. Document any exceptions to the classification policy
5. Select the security controls that will be applicable
6. Specify declassification procedures
7. Create an awareness program
Classification Scheme
Government/Military
• Top Secret
• Secret
• Confidential
• Sensitive
• Unclassified
Commercial/Business
• Confidential/Private
• Sensitive
• Public
In the military, "classified" is used to denote any data that is ranked above the Unclassified level.
Security Roles
Senior Management
• Ultimately responsible for security
• Must sign off on all policy issues
• All activities must be approved
• Will be held responsible for overall security success/failure
• Responsible for due care and due diligence
Security Professional
• Responsible for following the directives mandated by senior management
• Has the functional responsibility for security
• They are not decision makers
Data Owner
• Responsible for classifying information
• Ultimately responsible for the data they own
• Typically a high-level management representative
Data Custodian
• Responsible for the tasks of implementing the prescribed protection defined by the data owner
• Responsibilities include performing/testing backups, validating data integrity, deploying security solutions and managing data storage based on classification
User
• Has access to the secure system
• Responsible for understanding and upholding the security policy
Auditor
• Responsible for reviewing and verifying the security policy implementation
• Produces compliance and effectiveness reports
Due Care and Due Diligence
Due Care
• Taking reasonable care in protecting the organization
• It is a legal term: it pertains to the legal duty of the organization
• Lack of due care is considered negligence
Due Diligence
• Practicing the activities that maintain the due care effort
• Pertains to best practices that a company should follow
• It might not carry legal liability
Security Policy
- Strategic plan for implementing security
- Defines the scope of security needed for the organization
- Defines the main security objectives and outlines the security framework
- Identifies major functional areas of data processing
- Broadly outlines the security goals and practices that should be employed
- It is used to assign responsibilities, define roles, specify audit requirements, outline the enforcement process, indicate compliance requirements, and define acceptable risk levels
- It is a compulsory document
Types
Organizational security policy – focuses on issues relevant to every aspect of the organization
Issue-specific policy – focuses on a specific service, department or function that is distinct from the organization as a whole
System-specific policy – focuses on individual systems
Security Policy Categories
Regulatory
• Required whenever industry or legal standards are applicable to your organization
Advisory
• Discusses which behaviors and activities are acceptable and defines the consequences of violation
Informative
• Designed to provide information or knowledge about a specific subject
• Not enforceable
Standard/Baseline/Guideline/Procedure
Standard
• Defines compulsory requirements
• Provides a course of action for uniform deployment of technology
• Tactical document
Baseline
• Defines the minimum level of security that every system must meet
• System-specific
• Establishes a common secure state
Guideline
• Offers recommendations on implementation
• Serves as an operating guide
• Flexible: can be customized for each unique system
Procedure
• Final element of the formalized security policy structure
• Detailed step-by-step document describing the actions necessary to implement security mandates
• System- and software-specific
• Purpose is to ensure the integrity of business processes
Threat Modelling
- A process where potential threats are identified, categorized, and analysed
- Can be performed both proactively and reactively
- Two goals of threat modelling:
  - Reduce the number of security-related coding and design defects
  - Reduce the severity of the remaining defects
Proactive Approach
- Also known as the defensive approach
- Takes place during the early stages of systems development
- Based on predicting threats and designing specific countermeasures during the coding and crafting process
Reactive Approach
- Also known as the adversarial approach
- Takes place after a product has been created and deployed
- This is the core concept behind ethical hacking, penetration testing, source code review and fuzz testing
Threat Modelling Steps
1. Identifying threats
2. Determining and diagramming potential attacks
3. Performing reduction analysis
4. Prioritization and response
Identifying Threats – STRIDE Approach
Microsoft's threat categorization scheme:
SPOOFING
TAMPERING
REPUDIATION
INFORMATION DISCLOSURE
DENIAL OF SERVICE
ELEVATION OF PRIVILEGE
Determining and Diagramming Potential Attacks
• After identifying threats, the next step is to determine the potential attack concepts that could materialize
• Often accomplished with data flow diagrams showing privilege boundaries and the elements involved
• Once the diagram has been crafted, identify all the technologies involved
• Identify attacks that could be targeted at each element of the diagram
• Attacks should include all forms: logical, physical, social
Perform Reduction Analysis
• Involves decomposing the application, system or environment
• The purpose of this process is to gain a greater understanding of the purpose of the product and its interactions with external entities
• Each element should be evaluated to understand inputs, processing, security, data management, storage and output
• 5 key concepts to be aware of:
  • Trust boundaries: locations where the level of trust changes
  • Data flow paths: movement of data between locations
  • Input points: locations where external input is received
  • Privileged operations: activities that require greater privileges
  • Security stance and approach: declaration of the security policy, security foundation and security assumptions
Prioritization and Response
• Document the threat: define the means, target and consequences of each threat
• After documentation, rank or rate the threats
• DREAD rating system
  • Damage potential
  • Reproducibility
  • Exploitability
  • Affected users
  • Discoverability
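The documentation and ranking step above, carried through in code as an added example (not part of the original slides): each threat is recorded with its means, target and consequences, tagged with a STRIDE category, scored with the five DREAD factors and ranked. The 1..10 scale with the mean as overall score is the usual Microsoft convention; the High/Medium/Low bands, the `Threat` class and the four sample threats are assumptions constructed for this demonstration.

```python
"""Added example, not from the slides: a small threat register that documents
threats (means, target, consequences), tags them with STRIDE, rates them with
DREAD and ranks them for response.

Assumptions: DREAD factors are integers 1..10 and the overall score is their
mean (common Microsoft convention); the risk bands and sample threats below
are constructed for the demonstration."""
from dataclasses import dataclass
from statistics import mean

# STRIDE category -> security property it violates (standard mapping).
STRIDE = {
    "Spoofing": "Authentication",
    "Tampering": "Integrity",
    "Repudiation": "Non-repudiation",
    "Information disclosure": "Confidentiality",
    "Denial of service": "Availability",
    "Elevation of privilege": "Authorization",
}

DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")


@dataclass
class Threat:
    name: str
    category: str          # one of the STRIDE keys above
    means: str             # how the threat could be realised
    target: str            # element of the data-flow diagram it affects
    consequences: str
    ratings: dict          # DREAD factor -> integer 1..10

    def __post_init__(self):
        # Reject entries that are not documented the way the step requires.
        if self.category not in STRIDE:
            raise ValueError(f"unknown STRIDE category: {self.category!r}")
        if set(self.ratings) != set(DREAD_FACTORS):
            raise ValueError("ratings must cover exactly the five DREAD factors")
        for factor, value in self.ratings.items():
            if not isinstance(value, int) or not 1 <= value <= 10:
                raise ValueError(f"{factor} must be an integer in 1..10")

    def dread_score(self) -> float:
        """Mean of the five DREAD factors, rounded to two decimals."""
        return round(mean(self.ratings[f] for f in DREAD_FACTORS), 2)

    def violated_property(self) -> str:
        return STRIDE[self.category]


def risk_band(score: float) -> str:
    """Assumed thresholds turning a DREAD score into a response priority."""
    if score >= 8.0:
        return "High"
    if score >= 5.0:
        return "Medium"
    return "Low"


def prioritize(threats):
    """Rank threats highest DREAD score first (stable sort keeps input order on ties)."""
    return sorted(threats, key=lambda t: t.dread_score(), reverse=True)


def report(threats):
    """One line per threat, in priority order, naming the property at risk."""
    return [f"{t.dread_score():4.1f} {risk_band(t.dread_score()):6} "
            f"{t.category} ({t.violated_property()}): {t.name} -> {t.target}"
            for t in prioritize(threats)]


# Constructed sample register for a hypothetical web shop.
SAMPLE_THREATS = [
    Threat("Client-controlled order total", "Tampering",
           means="Price field trusted from the browser form",
           target="Order API", consequences="Goods shipped below cost",
           ratings=dict(damage=8, reproducibility=10, exploitability=9,
                        affected_users=8, discoverability=9)),
    Threat("Verbose stack traces", "Information disclosure",
           means="Unhandled exceptions rendered to the user",
           target="Web front end", consequences="Schema and paths leaked",
           ratings=dict(damage=4, reproducibility=9, exploitability=7,
                        affected_users=5, discoverability=8)),
    Threat("Admin changes not logged", "Repudiation",
           means="No audit trail for privilege changes",
           target="Admin console", consequences="Actions cannot be attributed",
           ratings=dict(damage=6, reproducibility=10, exploitability=3,
                        affected_users=2, discoverability=4)),
    Threat("Unbounded upload size", "Denial of service",
           means="No limit on uploaded image size",
           target="Upload service", consequences="Disk fills, site goes down",
           ratings=dict(damage=7, reproducibility=8, exploitability=6,
                        affected_users=10, discoverability=5)),
]

if __name__ == "__main__":
    for line in report(SAMPLE_THREATS):
        print(line)
```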
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginners
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17
 
Gas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxGas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptx
 
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
 
OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...
 

CISSP - Chapter 1 - Security Concepts

  • 1. Security Fundamentals Predict – Preempt – Protect Karthikeyan Dhayalan
  • 3. Confidentiality
    - Anything that needs to be protected
    - Safeguard against unauthorized access, notice, or use
    - Protecting data at each stage (storage, processing, transit)
    Threats: capturing network traffic, unauthorized network access, stealing password dumps, dumpster diving, social engineering, port scanning, eavesdropping
    Countermeasures: encryption, authentication to systems, access control, network traffic padding, data classification, end-user training
  • 4. Confidentiality Concepts
    - Sensitivity: the quality of information that could cause harm or damage if released (example: nuclear facility data)
    - Discretion: showing prudence or self-restraint when dealing with data of interest (example: deciding whether to publicly release details of a military operation)
    - Criticality: the level to which the information is critical to the mission (example: data rated HIGH criticality)
    - Concealment: the act of hiding or preventing disclosure (example: steganography)
    - Secrecy: the act of keeping information confidential (example: the Coke formula)
    - Privacy: keeping information about a person under safe custody (example: PII/PHI)
    - Seclusion: storing something in an out-of-the-way location (example: a storage vault)
    - Isolation: the act of keeping something separated from the rest (example: a DMZ or ODC)
  • 5. Integrity
    - The capability to maintain veracity: objects are modified only intentionally and only by authorized individuals
    - Enforces accuracy and provides assurance
    - Prevents unauthorized modifications
    - Prevents unauthorized modifications by authorized users
    - Maintains internal and external consistency of objects
    Threats: viruses, logic bombs, errors, malicious modifications, intentional replacement, system back doors
    Countermeasures: activity logging, access control, authentication, hashing, encryption, intrusion detection systems
    Integrity is dependent on confidentiality (if the secrets that protect an object, such as keys or credentials, are disclosed, its integrity can no longer be assured)
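The slide lists hashing among the integrity countermeasures and states that integrity depends on confidentiality. The following is an added example, not code from the deck, that shows both points with the Python standard library: a bare SHA-256 digest detects accidental corruption, but an attacker who can change the record can simply recompute it, whereas an HMAC tag cannot be recomputed without the key, so its integrity guarantee rests on keeping that key secret. The invoice record and the fixed key are constructed for this example.

```python
"""Added example (not from the deck): bare hash vs keyed MAC for integrity,
and why the MAC's guarantee collapses once the key's confidentiality is lost."""
import hashlib
import hmac

# Constructed sample record and a fixed key chosen for reproducibility; a
# real system would generate the key with secrets.token_bytes(32) and keep
# it separate from the data it protects.
RECORD = b'{"invoice":"INV-0001","payee":"ACME","amount":"100.00"}'
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")


def protect_with_hash(data: bytes) -> bytes:
    """Integrity check value that needs no secret: anyone can compute it."""
    return hashlib.sha256(data).digest()


def verify_hash(data: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(protect_with_hash(data), digest)


def protect_with_hmac(key: bytes, data: bytes) -> bytes:
    """Keyed tag: computing it requires the secret key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_hmac(key: bytes, data: bytes, tag: bytes) -> bool:
    # compare_digest avoids leaking the position of the first mismatch via timing.
    return hmac.compare_digest(protect_with_hmac(key, data), tag)


def tamper(data: bytes) -> bytes:
    """The unauthorized modification the slide warns about."""
    return data.replace(b'"amount":"100.00"', b'"amount":"9100.00"')


def attack_hash_protected(data: bytes) -> bool:
    """Attacker changes the record and recomputes the digest; the check still
    passes, so a bare hash gives no protection against deliberate tampering."""
    forged = tamper(data)
    return verify_hash(forged, protect_with_hash(forged))


def attack_hmac_protected(key: bytes, data: bytes) -> bool:
    """Attacker changes the record but has no key; the best they can do is
    reuse the old tag or substitute a plain hash, and both fail the check."""
    tag = protect_with_hmac(key, data)
    forged = tamper(data)
    return (verify_hmac(key, forged, tag)
            or verify_hmac(key, forged, protect_with_hash(forged)))


def attack_hmac_with_leaked_key(key: bytes, data: bytes) -> bool:
    """Once confidentiality of the key is lost, integrity is lost with it."""
    forged = tamper(data)
    return verify_hmac(key, forged, protect_with_hmac(key, forged))


if __name__ == "__main__":
    print("hash check passes after tampering:", attack_hash_protected(RECORD))        # True
    print("hmac check passes after tampering:", attack_hmac_protected(KEY, RECORD))   # False
    print("hmac check passes with leaked key:", attack_hmac_with_leaked_key(KEY, RECORD))  # True
```

Note that an HMAC gives integrity and authenticity only among the parties that share the key; it cannot provide the nonrepudiation described on slide 7, because either key holder could have produced the tag. That property needs a digital signature, where only the signer holds the private key.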
  • 6. Availability
    - Provisioning uninterrupted and timely access to authorized subjects
    - Offers a high level of assurance that data shall be available to authorized subjects
    - Includes usability, accessibility and timeliness
    Threats: device failure, software error, natural calamity, power loss, human error, oversight
    Countermeasures: RAID, redundant systems, clustering, access control, BCP/DR, fault tolerance
    Availability is dependent on both integrity and confidentiality
  • 7. Security concepts
    Identification
    - The subject professes an identity; the first step in the AAA process
    - Username, user ID, smart card, speaking a phrase, biometric
    - Without identity there can be no authentication
    Authentication
    - Verification of the claimed identity by comparing it against one or more factors stored in a database
    - Identification and authentication always occur together
    Authorization
    - Comparing the subject, the object and the intended activity to decide whether to allow the action
    - Identification/authentication is an all-or-nothing model, while authorization can have a wide range of outcomes
    Auditing
    - The means by which subjects' actions as well as system operations are logged and monitored
    - Helps detect unauthorized or abnormal activities
    Accountability
    - The capability to prove a subject's identity and track their activities
    - Established by linking a human to the activities of an online identity
    - Ultimately dependent on the strength of the authentication factor
    Nonrepudiation
    - Ensures the subject of an activity cannot deny the action
    - Can be established via digital certificates (digital signatures), session identifiers and transaction logs
  • 8. Security Control Concepts
    Layering
    - Also known as defense in depth
    - Multiple controls are applied in series, not in parallel, so that an attack must defeat each control in turn
    Abstraction
    - Putting similar elements into groups, classes or roles that are assigned security controls as a unit
    - Used for efficiency; includes the definition of object and subject
    Data Hiding
    - Preventing data from being discovered
    - Example: restricting visibility of a highly critical application to low-level subjects
    Encryption
    - Hiding the meaning or intent of a communication
    - An important element in many security controls
  • 9. Security Management Plan
    - The SMP should use a top-down approach
    - Senior management is responsible for initiating and defining policies
    - Middle management is responsible for releasing the standards, baselines and guidelines that flesh out the policy
    - Operations management/IT teams implement the controls defined above
    - End users must comply with the security policies and procedures of the organization
    - The SMP should have approval from senior management before implementation begins
  • 10. Security Management Plan Types
    Strategic plan
    - Long-term plan that defines the organization's security posture
    - Useful for at least five years; reviewed annually
    - Helps understand the security function and align it with the business
    - Should include a risk assessment
    Tactical plan
    - Mid-term plan developed to provide more detailed goals
    - Usually for a year or two; more technology oriented
    - Examples: project plans, acquisition plans, budget plans, hiring plans
    Operational plan
    - Short-term, highly detailed plan
    - Must be updated often (monthly, quarterly)
    - Spells out how to accomplish the various goals
    - Examples: resource allotment, budgetary allocation, training plans
  • 11. Change Management
    - Goal: ensure that no change leads to compromised or reduced security
    - Purpose: make all changes subject to detailed documentation, auditing, review and scrutiny by management
    - Helps to:
      - Implement changes in a controlled and orderly manner
      - Formalize the testing process
      - Provide back-out or rollback procedures
      - Inform users before the change
      - Systematically analyse the effects of a change
      - Minimize negative impact
      - Have changes reviewed and approved by the CAB (Change Advisory Board)
  • 12. Data Classification
    - The process of organizing items, objects and subjects into groups, categories or collections with similarities
    - The primary means for data protection
    - Used to determine how much effort, money and resources are allocated to protect the data and control access to it
    Benefits
    - Demonstrates the organization's commitment to protecting assets
    - Assists in identifying assets that are critical for the organization
    - Lends credence to the selection of protection mechanisms
    - Required for regulatory compliance
    - Helps define access levels
    - Helps with data life-cycle management
    Criteria
    - Usefulness
    - Timeliness
    - Value
    - Maturity or age of the data
    - Lifetime of the data
    - Personal association (whether it identifies individuals)
    - Disclosure damage assessment
    - Modification damage assessment
    - National security implications
    - Who is authorized to access the data
    - Who is restricted from the data
    - Maintenance and monitoring requirements
    - Storage requirements
  • 13. 7 Step Classification Scheme
    1. Identify the owner and define responsibility
    2. Specify the evaluation criteria
    3. Classify and label each resource
    4. Document any exceptions to the classification policy
    5. Select the security controls that will be applicable to each classification
    6. Specify declassification procedures
    7. Create an awareness program
  • 15. Security roles
    Senior Management
    - Ultimately responsible for security; will be held responsible for overall security success or failure
    - Must sign off on all policy issues; all activities must be approved
    - Responsible for due care and due diligence
    Security Professional
    - Responsible for following the directives mandated by senior management
    - Has the functional responsibility for security; not a decision maker
    Data Owner
    - Responsible for classifying information; ultimately responsible for the data they own
    - Typically a high-level management representative
    Data Custodian
    - Responsible for implementing the protection prescribed by the data owner
    - Responsibilities include performing and testing backups, validating data integrity, deploying security solutions and managing data storage based on classification
    User
    - Has access to the secure system
    - Responsible for understanding and upholding the security policy
    Auditor
    - Responsible for reviewing and verifying the security policy implementation
    - Produces compliance and effectiveness reports
  • 16. Due Care and Due Diligence
    Due Care
    - Taking reasonable care to protect the organization
    - A legal term: it pertains to the legal duty of the organization
    - Lack of due care is considered negligence
    Due Diligence
    - Practicing the activities that maintain the due care effort over time (for example, periodically reviewing that controls are still in place and effective)
    - Pertains to the best practices a company should follow
    - Lack of due diligence might not in itself make the organization legally liable
  • 17. Security Policy
    - The strategic plan for implementing security
    - Defines the scope of security needed for the organization
    - Defines the main security objectives and outlines the security framework
    - Identifies the major functional areas of data processing
    - Broadly outlines the security goals and practices that should be employed
    - Used to assign responsibilities, define roles, specify audit requirements, outline the enforcement process, indicate compliance requirements and define acceptable risk levels
    - It is a compulsory document
    Types
    - Organizational security policy: focuses on issues relevant to every aspect of the organization
    - Issue-specific policy: focuses on a specific service, department or function that is distinct from the organization as a whole
    - System-specific policy: focuses on individual systems
  • 18. Security Policy Categories
    - Regulatory: required whenever industry or legal standards are applicable to your organization
    - Advisory: discusses which behaviors and activities are acceptable and defines the consequences of violations
    - Informative: designed to provide information or knowledge about a specific subject; not enforceable
  • 19. Standard / Baseline / Guideline / Procedure
    Standard
    - Defines compulsory requirements
    - Provides a course of action for uniform deployment of technology
    - A tactical document
    Baseline
    - Defines the minimum level of security that every system must meet
    - System-specific; establishes a common secure state
    Guideline
    - Offers recommendations on implementation and serves as an operating guide
    - Flexible: can be customized for each unique system
    Procedure
    - The final element of the formalized security policy structure
    - A detailed, step-by-step document describing the actions necessary to implement security mandates
    - System and software specific
    - Its purpose is to ensure the integrity of business processes
  • 20. Threat Modelling
    - A process where potential threats are identified, categorized and analysed
    - Can be performed both proactively and reactively
    - Two goals of threat modelling: reduce the number of security-related coding and design defects, and reduce the severity of the remaining defects
    Proactive approach
    - Also known as the defensive approach
    - Takes place during the early stages of system development
    - Based on predicting threats and designing specific countermeasures during the coding and crafting process
    Reactive approach
    - Also known as the adversarial approach
    - Takes place after a product has been created and deployed
    - The core concept behind ethical hacking, penetration testing, source code review and fuzz testing
  • 21. Threat Modelling Steps
    1. Identifying threats
    2. Determining and diagramming potential attacks
    3. Performing reduction analysis
    4. Prioritization and response
  • 22. Identifying Threats – STRIDE approach
    Microsoft's threat categorization scheme:
    - Spoofing (impersonating a user or system)
    - Tampering (unauthorized modification of data)
    - Repudiation (denying having performed an action)
    - Information disclosure
    - Denial of service
    - Elevation of privileges
  • 23. Determining and Diagramming Potential Attacks
    - After identifying threats, the next step is to determine the potential attack concepts that could materialize
    - Often accomplished with data flow diagrams showing the elements involved and the privilege boundaries between them
    - Once the diagram has been crafted, identify all the technologies involved
    - Identify the attacks that could be targeted at each element of the diagram
    - Attacks should include all forms: logical, physical and social
  • 24. Perform Reduction Analysis
    - Involves decomposing the application, system or environment
    - The purpose is to gain a greater understanding of the product and its interactions with external entities
    - Each element should be evaluated to understand its inputs, processing, security, data management, storage and output
    - Five key concepts to be aware of:
      - Trust boundaries: locations where the level of trust changes
      - Data flow paths: the movement of data between locations
      - Input points: locations where external input is received
      - Privileged operations: activities that require greater privileges
      - Security stance and approach: the declaration of the security policy, security foundation and security assumptions
  • 25. Prioritization and Response
    - Document the threat: define the means, target and consequences of the threat
    - After documentation, rank or rate the threats
    - DREAD rating system:
      - Damage potential
      - Reproducibility
      - Exploitability
      - Affected users
      - Discoverability
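The four threat-modelling steps on slides 21 to 25 are easier to see end to end on a concrete system. The following is an added example, not code from the deck, that walks them over a constructed three-element system (a browser, a web application in a DMZ, a database on the internal network). It enumerates candidate threats with STRIDE-per-element (Microsoft's mapping of STRIDE categories to data-flow-diagram element types, which the deck does not show), marks flows that cross a trust boundary (one of the reduction-analysis concepts), and ranks the documented threats with DREAD. Element names, trust zones, the documented threats and their DREAD scores are all constructed for illustration; the DREAD average-of-five convention is an assumption, since the deck only lists the five factors.

```python
"""Added example (not from the deck): STRIDE-per-element enumeration, trust
boundary marking and DREAD ranking over a constructed three-element system."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# STRIDE-per-element: which STRIDE categories apply to each DFD element type.
STRIDE_PER_ELEMENT: Dict[str, str] = {
    "external_entity": "SR",   # spoofing, repudiation
    "process": "STRIDE",       # all six categories
    "data_flow": "TID",        # tampering, information disclosure, denial of service
    "data_store": "TRID",      # tampering, repudiation, information disclosure, DoS
}
STRIDE_NAMES: Dict[str, str] = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str        # a key of STRIDE_PER_ELEMENT other than data_flow
    trust_zone: str  # e.g. "internet", "dmz", "internal"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str


@dataclass(frozen=True)
class Threat:
    target: str
    category: str
    crosses_trust_boundary: bool


def enumerate_threats(elements: List[Element], flows: List[Flow]) -> List[Threat]:
    """Steps 1 to 3: apply STRIDE-per-element to every element and flow, and
    mark flows whose endpoints sit in different trust zones (the trust
    boundaries found during reduction analysis)."""
    zone = {e.name: e.trust_zone for e in elements}
    threats: List[Threat] = []
    for e in elements:
        for letter in STRIDE_PER_ELEMENT[e.kind]:
            threats.append(Threat(e.name, STRIDE_NAMES[letter], False))
    for f in flows:
        crossing = zone[f.src] != zone[f.dst]
        for letter in STRIDE_PER_ELEMENT["data_flow"]:
            threats.append(Threat(f"{f.src}->{f.dst}", STRIDE_NAMES[letter], crossing))
    return threats


def dread_score(damage: int, reproducibility: int, exploitability: int,
                affected_users: int, discoverability: int) -> float:
    """Step 4: DREAD rating as the mean of five scores from 1 to 10
    (an assumed convention; the deck lists only the five factors)."""
    scores = (damage, reproducibility, exploitability, affected_users, discoverability)
    if any(not 1 <= s <= 10 for s in scores):
        raise ValueError("each DREAD factor must be an integer from 1 to 10")
    return sum(scores) / len(scores)


def rank_threats(documented: List[dict]) -> List[Tuple[float, bool, str]]:
    """Sort documented threats by descending DREAD score; ties go to the
    threat that crosses a trust boundary."""
    ranked = [(dread_score(*t["dread"]), t["crosses_trust_boundary"], t["description"])
              for t in documented]
    ranked.sort(key=lambda r: (r[0], r[1]), reverse=True)
    return ranked


def example_system() -> Tuple[List[Element], List[Flow]]:
    """Constructed sample: browser on the internet, web app in a DMZ,
    database on the internal network, with one flow between each pair."""
    elements = [
        Element("Browser", "external_entity", "internet"),
        Element("WebApp", "process", "dmz"),
        Element("DB", "data_store", "internal"),
    ]
    flows = [Flow("Browser", "WebApp"), Flow("WebApp", "DB")]
    return elements, flows


# Constructed threat documentation (means, target, consequence) with made-up
# DREAD factors for three of the enumerated candidates.
EXAMPLE_DOCUMENTED = [
    {"description": "Tampering on WebApp->DB: attacker alters the query the app sends",
     "dread": (8, 9, 7, 9, 8), "crosses_trust_boundary": True},
    {"description": "Information disclosure on Browser->WebApp: session token read in transit",
     "dread": (6, 7, 5, 8, 7), "crosses_trust_boundary": True},
    {"description": "Repudiation at DB: audit records deleted",
     "dread": (5, 4, 3, 3, 5), "crosses_trust_boundary": False},
]

if __name__ == "__main__":
    els, fls = example_system()
    for t in enumerate_threats(els, fls):
        print(t)
    for score, crossing, desc in rank_threats(EXAMPLE_DOCUMENTED):
        print(f"{score:4.1f} {'[boundary]' if crossing else '          '} {desc}")
```

The enumeration is deliberately exhaustive (18 candidates for three elements and two flows); the value of the reduction-analysis step is that the boundary-crossing flows and the input point at the external entity tell you which candidates to document and rate first.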